NAME

auristorfs_key_rotation - AuriStorFS Key Rotation Using Acceptor Only Keys

DESCRIPTION

Key rotation can be difficult because there is a risk of a single point of failure if a shared key starts being used for new connections before all of the servers have knowledge of the key. AuriStorFS addresses these risks by introducing the concept of acceptor-only keys. Acceptor-only keys cannot be used to initiate new connections. Therefore, such keys can be safely distributed to servers without risk that the keys might be used before the accepting server has received its copy of the key.

ADDING A NEW KEY

The asetkey(8) add sub-command adds a key to /etc/yfs/server/KeyFileExt that can be used both for initating outgoing and accepting incoming connections. Adding a new key that can be used for initiating outgoing connections before the key is available on the accepting server can result in communication failures.

The asetkey(8) add-acceptor sub-command adds an acceptor-only key to /etc/yfs/server/KeyFileExt that will only be used when accepting connections. This makes it safe to add new keys without the risk that a service restart prior to the distribution of the updated /etc/yfs/server/KeyFileExt to all systems might result in the premature use of a new key to secure subsequent initiated connections.

After the /etc/yfs/server/KeyFileExt with the acceptor-only key has been deployed to all AuriStorFS servers and the /etc/yfs/server/yfs-server.conf file has been touched or the servers restarted, then the asetkey(8) promote-acceptor sub-command can be executed to convert the acceptor-only key to a normal key that can be used when initiating connections.

REMOVING AN OLD KEY

The asetkey(8) delete sub-command removes a key from /etc/yfs/server/KeyFileExt preventing it from being used for either initating outgoing or accepting incoming connections. Removing a key from a server that might be used by an initiating server can result in communication failures.

The asetkey(8) demote-to-acceptor sub-command converts a normal key to an acceptor-only key that will only be used when accepting connections. Once the key is acceptor-only on all servers it is safe to remove the key from /etc/yfs/server/KeyFileExt.

A KEY ROTATION RECIPE

The key rotation pattern using acceptor-only keys is:

  1. execute asetkey(8) add-acceptor to add a new acceptor-only key to /etc/yfs/server/KeyFileExt

  2. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

  3. execute asetkey(8) promote-acceptor to promote the acceptor-only key to a normal key in /etc/yfs/server/KeyFileExt

  4. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

  5. execute asetkey(8) demote-to-acceptor to convert the old key to an acceptor-only key in /etc/yfs/server/KeyFileExt

  6. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

  7. execute asetkey(8) delete to remove the old acceptor-only key from /etc/yfs/server/KeyFileExt

  8. on each server in the cell

    1. deploy updated /etc/yfs/server/KeyFileExt

    2. touch /etc/yfs/server/yfs-server.conf

WARNINGS

Note that this procedure only works for yfs-rxgk and rxkad_k5 keys. It will not work for rxkad keys (56-bit DES).

This procedure is not applicable to rotating the keys in the /etc/yfs/server/vl.keytab and /etc/yfs/server/bos.keytab Kerberos v5 keytabs. All keys stored in the Kerberos v5 keytab files are inherently acceptor-only. The procedure for rotating Kerberos v5 service principal keys in the Kerberos KDC is implementation specific.

SEE ALSO

KeyFileExt(5), asetkey(8), bos.keytab(5), vl.keytab(5), yfs-server.conf(5)

COPYRIGHT

Copyright AuriStor, Inc. 2014-2021. https://www.auristor.com/ All Rights Reserved.

ACKNOWLEDGEMENTS

"AFS" is a registered mark of International Business Machines Corporation, used under license. (USPTO Registration 1598389)

"OpenAFS" is a registered mark of International Business Machines Corporation. (USPTO Registration 4577045)

The "AuriStor" name, log 'S' brand mark, and icon are registered marks of AuriStor, Inc. (USPTO Registrations 4849419, 4849421, and 4928460) (EUIPO Registration 015539653).

"Your File System" is a registered mark of AuriStor, Inc. (USPTO Registrations 4801402 and 4849418).

"YFS" and "AuriStor File System" are trademarks of AuriStor, Inc.